Expert Advice Community


Should all applicable controls from Annex A be fully implemented by the time

Guest user, created: Jan 12, 2016, last commented: Jan 12, 2016


Should all applicable controls from Annex A be fully implemented by the time of the certification audit? What proportion of the controls is acceptable in the status "Partially implemented" or "Planned" at the time of the certification audit? How do auditors regard such statuses in the SoA? Could this lead to a denial of the issue of the ISO 27001 certificate?
DejanK Jan 12, 2016

Answer: The ideal situation would be to implement all the controls marked as applicable in the Statement of Applicability prior to the certification audit.

You could leave less significant controls to be implemented after the certification, under the following conditions: (1) plan their implementation in the Risk Treatment Plan, and (2) accept all the residual risks that were not decreased. There is no magic number for the proportion of controls that must be implemented, and it is at the certification auditor's discretion to raise a non-conformity in such cases. Therefore, to be safe you should implement the majority of controls prior to the certification audit and make sure you implement all the most important ones.
